Mac and Windows Users Infected By Software Updates Delivered Over Hacked ISP
An anonymous reader quotes a report from Ars Technica: Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said. The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.
Because the update mechanisms didn't use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 rather than the authoritative DNS server provided by the ISP. "That is the fun/scary part -- this was not the hack of the ISPs DNS servers," Volexity CEO Steven Adair wrote in an online interview. "This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google's DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker's servers."
In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven't been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections. As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices. As for the hacked ISP, the security firm said "it's not a huge one or one you'd likely know."
"In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from. We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall."
<a href="http://twitter.com/home?status=Mac+and+Windows+Users+Infected+By+Software+Updates+Delivered+Over+Hacked+ISP%3A+https%3A%2F%2Fit.slashdot.org%2Fstory%2F24%2F08%2F06%2F0419236%2F%3Futm_source%3Dtwitter%26utm_medium%3Dtwitter"; rel="nofollow"><img src="https://a.fsdn.com/sd/twitter_icon_large.png"></a>;
<a href="http://www.facebook.com/sharer.php?u=https%3A%2F%2Fit.slashdot.org%2Fstory%2F24%2F08%2F06%2F0419236%2Fmac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp%3Futm_source%3Dslashdot%26utm_medium%3Dfacebook"; rel="nofollow"><img src="https://a.fsdn.com/sd/facebook_icon_large.png"></a>;
https://it.slashdot.org/story/24/08/06/0419236/mac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp?utm_source=rss1.0moreanon&utm_medium=feed
at Slashdot.
https://it.slashdot.org/story/24/08/06/0419236/mac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp?utm_source=rss1.0mainlinkanon&utm_medium=feed
Slashdot (RSS Feed) /
npub1rk…d8w8z
2024-08-06 13:00:00
![https://a.fsdn.com/sd/twitter_icon_large.png"></a>](https://a.fsdn.com/sd/twitter_icon_large.png"></a>){kind=link}
![https://a.fsdn.com/sd/facebook_icon_large.png"></a>](https://a.fsdn.com/sd/facebook_icon_large.png"></a>){kind=link}
Author Public Key
npub1rk3j5fc4ew5w9zd7kx5zfqt04tew0kan9swrr63ctn6k8wp8f65qwd8w8zPublished at
2024-08-06 13:00:00Event JSON
{
"id": "1998b822cecbe8312182a1efbf5f07ee0c57648fa374ea776cf4018cf4ab2a31",
"pubkey": "1da32a2715cba8e289beb1a824816faaf2e7dbb32c1c31ea385cf563b8274ea8",
"created_at": 1722949200,
"kind": 1,
"tags": [
[
"t",
"security"
],
[
"proxy",
"http://rss.slashdot.org/Slashdot/slashdot#https%3A%2F%2Fit.slashdot.org%2Fstory%2F24%2F08%2F06%2F0419236%2Fmac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp%3Futm_source%3Drss1.0mainlinkanon%26utm_medium%3Dfeed",
"rss"
]
],
"content": "Mac and Windows Users Infected By Software Updates Delivered Over Hacked ISP\n\nAn anonymous reader quotes a report from Ars Technica: Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said. The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.\n \nBecause the update mechanisms didn't use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 rather than the authoritative DNS server provided by the ISP. \"That is the fun/scary part -- this was not the hack of the ISPs DNS servers,\" Volexity CEO Steven Adair wrote in an online interview. \"This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google's DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker's servers.\"\n \nIn other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven't been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections. As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices. As for the hacked ISP, the security firm said \"it's not a huge one or one you'd likely know.\"\n \n\"In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from. We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall.\"\n\u003ca href=\"http://twitter.com/home?status=Mac+and+Windows+Users+Infected+By+Software+Updates+Delivered+Over+Hacked+ISP%3A+https%3A%2F%2Fit.slashdot.org%2Fstory%2F24%2F08%2F06%2F0419236%2F%3Futm_source%3Dtwitter%26utm_medium%3Dtwitter\" rel=\"nofollow\"\u003e\u003cimg src=\"https://a.fsdn.com/sd/twitter_icon_large.png\"\u003e\u003c/a\u003e\n\u003ca href=\"http://www.facebook.com/sharer.php?u=https%3A%2F%2Fit.slashdot.org%2Fstory%2F24%2F08%2F06%2F0419236%2Fmac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp%3Futm_source%3Dslashdot%26utm_medium%3Dfacebook\" rel=\"nofollow\"\u003e\u003cimg src=\"https://a.fsdn.com/sd/facebook_icon_large.png\"\u003e\u003c/a\u003e\n\n\n\nhttps://it.slashdot.org/story/24/08/06/0419236/mac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp?utm_source=rss1.0moreanon\u0026utm_medium=feed\n at Slashdot.\n\nhttps://it.slashdot.org/story/24/08/06/0419236/mac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp?utm_source=rss1.0mainlinkanon\u0026utm_medium=feed",
"sig": "67b9bc69d0eac03667bdbe8b144d54e2c2c2e1b5789423c9b14bb20ace199c5fe55ce7fc247c0cf6b9ad55ca73652900390276a94b9b2d06e76e4b7c68340500"
}